
[PATCH] axtls.c: honoring VERIFYHOST option

From: Aleksey Tulinov <aleksey.tulinov_at_gmail.com>
Date: Fri, 7 Jun 2013 16:54:26 +0300

---
 lib/axtls.c |   26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a83..9e2f3cd 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -342,21 +342,29 @@ Curl_axtls_connect(struct connectdata *conn,
   /* RFC2818 checks */
   if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
     /* Break connection ! */
-    Curl_axtls_close(conn, sockindex);
-    free_ssl_structs(ssl_ctx, ssl);
-    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
-    return CURLE_PEER_FAILED_VERIFICATION;
+    if(data->set.ssl.verifyhost) {
+      Curl_axtls_close(conn, sockindex);
+      free_ssl_structs(ssl_ctx, ssl);
+      failf(data, "\tsubjectAltName(s) do not match %s\n",
conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else
+      infof(data, "\tsubjectAltName(s) do not match %s\n",
conn->host.dispname);
   }
   else if(found_subject_alt_names == 0) {
     /* Per RFC2818, when no Subject Alt Names were available, examine the peer
        CN as a legacy fallback */
     peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
     if(peer_CN == NULL) {
-      /* Similar behaviour to the OpenSSL interface */
-      Curl_axtls_close(conn, sockindex);
-      free_ssl_structs(ssl_ctx, ssl);
-      failf(data, "unable to obtain common name from peer certificate");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      if(data->set.ssl.verifyhost) {
+        /* Similar behaviour to the OpenSSL interface */
+        Curl_axtls_close(conn, sockindex);
+        free_ssl_structs(ssl_ctx, ssl);
+        failf(data, "unable to obtain common name from peer certificate");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "unable to obtain common name from peer certificate");
     }
     else {
       if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
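Review bot: The CN-mismatch branch that begins on the last context line, `if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name))`, is not touched by this hunk and its body lies outside it, so it presumably still closes the connection unconditionally. If so, with VERIFYHOST disabled a certificate with non-matching subjectAltNames or no CN is accepted while one with a non-matching CN is still rejected; gate that branch on `data->set.ssl.verifyhost` as well so the option behaves the same on all three paths. On the two new accept paths the `infof` text is identical to the failure text, which makes a skipped hostname check hard to tell apart from a rejected one in verbose output; say so explicitly, e.g. `infof(data, "\tsubjectAltName(s) do not match %s (ignored, host verification disabled)\n", conn->host.dispname);`. A short comment above each `if(data->set.ssl.verifyhost)` noting that the peer name is unauthenticated when the check is skipped would also help later readers.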
-- 
1.7.9.5